US11533320B2 - Optimize compliance evaluation of endpoints - Google Patents
- Publication number: US11533320B2
- Authority: US (United States)
- Prior art keywords
- compliance
- compliance information
- network appliance
- network
- endpoint device
- Prior art date
- Legal status: Active, expires
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/108—Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L63/102—Entity profiles
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Definitions
- This disclosure relates to network devices, and in particular, access control for network devices.
- Network control devices such as Network Access Control (NAC) devices, Virtual Private Network (VPN) controllers, and Software Defined Perimeter (SDP) controllers, of private networks intercept end user requests for network access.
- a network control device provides network access control for on-premise access requests.
- On-premise access requests are characterized as access requests that are received through a network control device or access point that is considered part of the private network infrastructure.
- off-premise access requests for access originate from network control devices or access points that are outside the private network infrastructure.
- some of the private network infrastructure may include network control devices that are connected to the private network over a VPN tunnel, and some of the on-premise authorization and authentication activity may utilize VPN tunnels that are already part of the private network.
- Conventional network control devices intercept network access requests and perform and/or manage identifying information checks (e.g., username and password checks and/or certificate checks) to authenticate a user and/or a device used by the user. That is, network control devices may perform authentication to determine whether the end user device and its user are authorized to use the network. Initial exchanges between the end user device and the network control device are typically over the data-link layer or layer 2 (L2) of the OSI model. If the end user device is authorized to access the private network, based on the authorization check performed by the network control device on L2, the network control device grants the end user device limited access to the private network, but only on L2.
- a policy compliance check of the end user device is generally performed at a higher OSI model layer, e.g., L3 through L7.
- the network control device performs a compliance check of the end user device to determine if the end user device is in compliance with current policies of the enterprise network.
- the current policies may be stored on the network control device or on a separate policy server in communication with the network control device. If the end user device is found to be in compliance with current policies of the private network, the network control device grants the end user device a higher level of access (e.g., full access) to the private network.
- otherwise, the network control device may deny the end user device access to the private network, at least until the end user device has been brought into compliance, e.g., by providing the end user device with access to a remediation server or module used to bring the end user device into compliance.
- the current policies may include an acceptable operating system updated to a particular revision or other update state; an acceptable virus/malware/spyware protection program updated to a particular revision or update state; an agent module of the private network operating on the end user device, wherein the agent module operates to evaluate a policy compliance state of the end user device; a firewall type and its settings; a browser type and its settings; or the like. Additionally or alternatively, the current policies may require that certain applications (plugins, add-ons, or the like) are not running on the end user device.
- a conventional network control device associated with a private network may include an authorization module, or may outsource authorization to an authorization module operating on another device, including devices outside the private network infrastructure such as an authentication server.
- a conventional network control device associated with a private network may include a policy module and/or a policy authentication module, or may outsource policy authentication to an authentication module operating on another device, including devices outside the private network infrastructure such as an authentication server.
- Remote Authentication Dial-In User Service (RADIUS) is a conventional client/server protocol and software that enables remote access services, e.g., an end user device, to communicate with a central server, such as a network control device, to authenticate remote users and authorize their access to the requested system or server.
- the RADIUS protocol is widely used and is preferred by many private network administrators.
- the RADIUS protocol at least requires a point-to-point protocol (PPP) connection between the RADIUS client and the end user device, which at least requires establishing a network layer connection or a layer 3 (L3) connection on the Open System Interconnection (OSI) model.
- the Extensible Authentication Protocol (EAP) and the Extensible Authentication Protocol over LAN (EAPOL), each defined in IEEE 802.1X, are conventional authorization and authentication protocols usable as an interface between an end user device and a RADIUS client to facilitate authorization and/or authentication of end user devices attempting to access a private network from a LAN or WLAN using the RADIUS protocol and/or a RADIUS server.
- One part of the authorization and authentication process of EAP and EAPOL is carried out over an L2 connection, and another part of the authorization and authentication process is carried out over an L3 connection.
- the authorization and authentication are conducted as two separate and unrelated events that are not tied together.
- this disclosure describes techniques for determining whether to grant a user device access to a network.
- the user device initially provides authentication credentials to a network appliance, such as a Network Access Control (NAC) device, a Virtual Private Network (VPN) controller or a Software Defined Perimeter (SDP) controller, etc.
- the network appliance (or a server associated with the network appliance) requests compliance details from the user device based on the configured policies.
- a client on the user device then sends the requested compliance information.
- the client also stores the request and/or which compliance information is requested.
- after the security posture evaluation, the network appliance either grants the user device full network access or limits access and sends remediation information to the user device to bring it into compliance with the policies.
- the network appliance stores the compliance information in a compliance database. Subsequently, from time to time, the network appliance requests updated compliance information.
- the client determines which information has changed since the last request, and only sends the compliance information that has changed.
- the network appliance uses the updated compliance information together with the compliance information in the compliance database to evaluate the compliance of the user device.
- a method includes, in response to receiving, by a network appliance, a first request to access a protected network resource from an endpoint device that includes a client software module configured to communicate with the network appliance, (a) determining which compliance information to request, the compliance information relating to policies associated with a role that was granted as a result of the authentication performed earlier, (b) requesting all of the determined compliance information from the client software module, (c) evaluating the compliance of the endpoint device based on the compliance information received from the client software module and providing access when the compliance information satisfies the policies, and (d) storing the received compliance information in a database associated with the network appliance.
- the example method also includes, in response to receiving, by the network appliance, a second request to access a protected network resource from the endpoint device, (a) accessing the compliance information of the endpoint device stored in the database, (b) requesting an update from the endpoint device, (c) in response to requesting the update, receiving updated compliance information that includes less than all of the compliance details required by the policies, (d) in response to receiving, by the network appliance, first updated compliance information that includes only updated ones of the compliance details required by the policies, evaluating the compliance of the endpoint device based on the updated compliance information and the compliance information stored in the database to determine an updated compliance state, and (e) providing access based on the updated compliance state.
- a network appliance that enforces one or more policies for accessing a private network
- the network appliance comprises at least one processor configured to, in response to receiving a first request to access a protected network resource from an endpoint device that includes a client software module configured to communicate with the network appliance, (a) determine which compliance information to request, the compliance information relating to policies associated with a role that was granted as a result of the authentication performed earlier, (b) request all of the determined compliance information from the client software module, (c) evaluate the compliance of the endpoint device based on the compliance information received from the client software module and provide access when the compliance information satisfies the policies, and (d) store the received compliance information in a database associated with the network appliance.
- the network appliance is also configured to, in response to receiving a second request to access the protected network resource from the endpoint device, (a) access the compliance information of the endpoint device stored in the database, (b) request an update from the endpoint device, (c) in response to requesting the update, receive updated compliance information that includes less than all of the compliance details required by the policies, (d) in response to receiving first updated compliance information that includes only updated ones of the compliance details required by the policies, evaluate the compliance of the endpoint device based on the updated compliance information and the compliance information stored in the database to determine an updated compliance state, and (e) provide access based on the updated compliance state.
- a method includes, in response to receiving, by a network appliance, a request to access a protected network resource from an endpoint device that includes a client software module configured to communicate with the network appliance, (a) determining whether a compliance database includes compliance information associated with the endpoint device, (b) when the compliance database does not include the compliance information associated with the endpoint device, determining which of the compliance information related to policies associated with the protected network resource to request and requesting all of the determined compliance information from the client software module, (c) when the compliance database includes the compliance information associated with the endpoint device, accessing the compliance information of the endpoint device stored in the database and requesting an update from the endpoint device, and (d) evaluating the compliance of the endpoint device based on the compliance information received from the client software module and providing access when the compliance information satisfies the policies.
- FIG. 1 is a block diagram illustrating an example network system including devices that may be configured to perform various techniques of this disclosure.
- FIG. 2 is a block diagram illustrating an example user device according to the techniques of this disclosure.
- FIG. 3 is a block diagram illustrating an example network appliance according to the techniques of this disclosure.
- FIG. 4 is a block diagram of an example system for authorizing a user device to access one or more protected resources according to the techniques of this disclosure.
- FIG. 5 is a diagram illustrating an example method for authorizing a user device to access one or more protected resources according to the techniques of this disclosure.
- FIG. 6 is a flowchart illustrating an example method for authorizing a user device to access one or more protected resources according to the techniques of this disclosure.
- a network appliance cooperates with a client installed on a user device.
- the network appliance requests a full set of compliance data from the user device.
- the network appliance evaluates the compliance to network policies based on the full set of compliance data.
- the network appliance provides access to the network based on the compliance state of the user device.
- the network appliance then stores the full set of compliance data in a database.
- the client monitors the user device. For example, the client may monitor the versions and/or settings of applications of interest (e.g., an identity of an antivirus product, settings of the antivirus product, an identity of a firewall product, settings of the firewall product, an identity of a patch management product, settings of the patch management product, a status of an application, a presence of a file on the device, a status of one or more ports, and/or settings of registry keys, etc.).
- the network appliance requests updated compliance data.
- the client responds with the compliance data that has changed since the last compliance data request.
- the network appliance uses this updated compliance data and the compliance data stored in the database to evaluate the compliance of the user device.
- the network appliance and the client reduce the volume of data that is being transmitted over the network compared to traditional methods.
- the techniques described below may provide technical benefits to the network. By reducing the volume of information transmitted to evaluate compliance of user devices, for example, the techniques described below may reduce the time required to access the network. Additionally, because performing periodic compliance checks on a large number of devices can consume a lot of resources that could otherwise be used, the techniques described here may reduce network congestion and increase the amount of available network resources.
- FIG. 1 is a block diagram illustrating an example network 100 including devices that may be configured to perform various techniques of this disclosure.
- the network 100 may, for example, represent an Intranet infrastructure.
- the network 100 includes a local area network (LAN) 102 and a private network 104 .
- network 100 includes network components 106 - 116 that facilitate access to the private network 104 by user device 118 executing a network client 120 (sometimes referred to as the “client”) connected to the LAN 102 .
- the user device 118 may be, for example, a personal computer device (e.g., a smartphone, a smart watch, a tablet, a laptop, a desktop, a workstation, etc.) or another type of networked device (such as, an industrial control system, etc.). In some examples, the user device 118 may be referred to as an “endpoint device.”
- the LAN 102 includes a LAN device 106 (e.g., a wired and/or wireless router, etc.) that manages a connection between the user device 118 and a gateway device 108 .
- the private network 104 includes a network appliance 110 (e.g., a network access control (NAC) device, a virtual private network (VPN) controller, a software defined perimeter (SDP) controller, etc.), an authentication server 112, a policy server 114 and one or more protected resources 116.
- the network appliance 110 controls access to the private network 104 .
- the network appliance 110 may be referred to as a “network appliance.”
- the illustrated example includes one private network 104 , but the network appliance 110 may control access to one or more private networks.
- the LAN 102 is remote relative to the private network 104 .
- a user may operate the client 120 on the user device 118 to gain access to protected resources 116 of the private network 104 .
- the client 120 may attempt to connect to a virtual local area network (VLAN) including devices and resources of private network 104 .
- the client 120 may connect to the LAN device 106 , which is communicatively coupled to gateway device 108 .
- the gateway device 108 is a network switch, router, or other node that provides access to other network infrastructures, such as the Internet.
- the gateway device 108 passes, for example, Transmission Control Protocol/Internet Protocol (TCP/IP) network traffic between networks.
- the various devices of the LAN 102 and the private network 104 may be interconnected via virtual private network (VPN) tunnels.
- the gateway device 108 may perform two-way protocol conversions. For example, the gateway device 108 may convert network traffic exiting the LAN 102 that is formatted in a local area network protocol format, e.g., the IEEE 802.11 communication protocol, also called WiFi, or the IEEE 802.3 communication protocol, also called Ethernet, to a network communication protocol that is more suitable for the other portions of the private network 104 , e.g., TCP/IP. The gateway device 108 may also convert network traffic received from regions of the private network 104 that is formatted in the TCP/IP network protocol to a network communication protocol that is suitable for the LAN 102 .
- the network appliance 110 intercepts requests to access the private network 104 by devices such as the user device 118 or other network devices. On the first request in a predetermined time period (e.g., upon the first access request in a 24-hour period, etc.), the network appliance 110, in conjunction with the authentication server 112, authenticates the identity of the user of the user device 118 using user credentials (sometimes referred to as “authentication credentials”) supplied by the client 120 (sometimes referred to as performing an “authentication check”).
- the authentication credentials include one or more of (i) a username and password that relate to a particular user of user device 118 , (ii) a digital certificate, (iii) a cryptographic token, (iv) a biometric token, and/or (v) two-device authorization information, etc.
- the user must have previously established a user account on the private network 104.
- the network appliance 110 sends the authentication credentials to the authentication server 112 for authentication.
- the authentication credentials used to gain access to private network 104 are stored by authentication server 112.
- the network appliance 110 may permit limited access to the private network 104 without providing access to the protected resources 116 .
- the limited access may only allow access at layer 2 (L2) of the OSI model.
- the network appliance 110, via the policy server 114, enforces one or more policies (sometimes referred to as performing an “authorization check”).
- the policy server device 114 operates to enforce network access policies, such as minimum requirements for user authorization to access protected resources and minimum user device authentication requirements related to compliance with current policies of network system 100.
- these policies may include requiring the user device 118 to have a proper operating system version, recent patches for the operating system or other software installed, an authorized antivirus program, and/or an authorized anti-spyware program, etc.
- the network appliance 110 performs the authorization check before assigning the IP address to the user device 118 (e.g., as part of L2).
- the policies are stored in a policy database 122 .
- the network appliance 110 queries the policy database 122 to retrieve policies that are applicable to the user device 118 .
- the applicable policies are based on, for example, the role and/or clearance level of the user, the type of protected resources the user device 118 has access to, the time of day, the location of the LAN 102 , and/or the type of the user device 118 , etc.
- when the network appliance 110 determines that the user device 118 is compliant with the policies, the network appliance 110 grants access to the protected resources 116.
- the network appliance 110 stores at least a portion of the compliance data received from the client 120 in a compliance database 124.
- the network appliance 110 conducts a periodic authorization and/or authentication check of user device 118 .
- the network appliance 110 may perform authentication and authorization checks every time the user device 118 reconnects to the private network 104 and an authorization check every hour the user device 118 is connected to the private network 104 . During these subsequent reauthorization checks, the network appliance 110 may use the compliance data stored in the compliance database 124 .
- when the network appliance 110 determines that user device 118 is not compliant with the applicable policies, network appliance 110 sends remediation instructions to user device 118 as to how to comply with the current policies.
- the remediation instructions may direct user device 118 to a remediation server, which may form part of network appliance 110 , or be a separate device (not shown).
- user device 118 may receive data indicating how to come into compliance, e.g., by downloading one or more software tools, updating installed software and/or an installed operating system, or the like.
- the network 100 includes the protected resources 116 stored on one or more network devices (not shown) connected to private network 104 .
- the protected resources 116 may include a user email account, a file server for storing documents, an application server for sharing network-enabled versions of common software applications with many user devices, a network printer, a communications server for handling e-mail exchanges, fax communications, remote access to the network, firewalls and/or other internet services, a database server for storing data and for managing requests to store or access data, or the like, to which user device 118 or the user of user device 118 attempts to gain access.
- although network 100 is described as a network including a plurality of network devices, in some examples one or more of the devices shown in network 100 may be realized by a single network device, such as a network server or appliance operating software modules and/or divided into virtual networks by virtual network partitions that may each provide separate and/or shared network access control services, separate and/or shared policy management services, separate and/or shared database services, and separate and/or shared protected resources.
- FIG. 2 is a block diagram illustrating an example user device 118 operating in accordance with the techniques of this disclosure.
- User device 118 includes various software modules executed by hardware 202.
- the hardware 202 includes one or more processors and memory storing and executing instructions, touchscreens, speakers, microphones, cameras, etc.
- An operating system 204 and operating system (OS) application programming interfaces (APIs) 206 may be executed by the hardware 202 .
- the operating system 204 controls device resources and manages various system level operations, while operating system APIs 206 provide interfaces between operating system 204 and various other components and software modules.
- the software modules of FIG. 2 include a network unit 208 , user applications 210 , and the client 120 (sometimes referred to as a “compliance agent”).
- the network unit 208 operates to communicate with an authenticator operating on a local area network controller (e.g., the LAN device 106 of FIG. 1 ).
- the network unit 208 includes, for example, an EAP/EAPOL authenticator configured to communicate over a data-link layer (L2) communication channel to exchange authorization requests and authorization replies.
- the network unit 208, in exchanges with the LAN device 106, provides authentication credentials, such as username/password or digital certificate, over the L2 communication channel. Thereafter, the network appliance 110 (e.g., via the authentication server device 112) determines whether the credentials are authentic.
- the network unit 208 may also include a DHCP client to (i) broadcast a DHCP request over L2 communication channel and (ii) receive IP address information provided by a DHCP server device (e.g., a DHCP server operating in the private network 104 ).
- the user applications 210 are applications that provide utility to a user.
- the user applications 210 include, for example, an email client, a web browser, file system navigators, and/or anti-virus software.
- the client 120 communicates with the network appliance 110 to assist the network appliance 110 in determining whether the user device 118 conforms to applicable policies (e.g., as determined by the policy server 114 of FIG. 1 ).
- the client 120 monitors the operating system 204 and/or the user applications 210 .
- the client 120 may monitor the versions of the OS 204 and/or the user applications 210 , the settings of the user applications 210 , and/or the presence and absence of user applications.
- after being authenticated by the network appliance 110, the client 120 requests access to the private network 104.
- the client 120 either receives (a) a request for full compliance information (e.g., versions, settings, presence or absence of user applications 210 , etc.) or (b) a request for updated compliance information.
- the client 120 gathers the requested information, sends all of it in a response to the network appliance 110 , and stores, in a compliance log 212 (e.g., in memory), the compliance request. Thereafter, the client 120 monitors and tracks the OS 204 and/or the user applications 210 based on the requested compliance information. When any of the compliance information changes, the client 120 records the change in the compliance log 212 .
- the client 120 determines which items of the compliance information have changed since the last request based on the compliance log 212 , and only sends a response with this changed compliance information.
- FIG. 3 is a block diagram illustrating an example network appliance 110 according to the techniques of this disclosure.
- the network appliance 110 includes a device operating system 302 for controlling device resources 304 (e.g., processor(s), memory, network interfaces, etc.) and managing various system level operations, operating system APIs 306 used as interfaces between operating system 302 and various other applications, including a verification module 308 , and a remediation module 310 .
- the verification module 308 communicates with user device 118 or with the client 120 operating on user device 118 to receive authentication credentials and compliance information from client 120 .
- the verification module 308 performs an authentication check (e.g., in conjunction with the authentication server 112 ) using the authentication credentials and an authorization check (e.g., in conjunction with the policy server 114 ) using the compliance information.
- the user device 118 sends authentication credentials, which authentication server 112 authenticates, via, for example, an L2 channel.
- the verification module 308 determines whether the user device 118 is authorized to access one or more protected resources 116 in the private network 104 . Based on the identity of the user and/or user device 118 (e.g., determined through the authentication check), the verification module 308 , in conjunction with the policy server 114 , determines whether the user device 118 is compliant with applicable policies.
- the verification module 308 requests full compliance information.
- the verification module 308 requests full compliance information periodically (e.g., every hour, every twelve hours, every day, etc.) from the user device 118 when the user device is connected to the private network 104 .
- the verification module 308 may be configured to erase the compliance information stored in the compliance database 124 .
- verification module 308 requests full compliance information when there is no compliance information in the compliance database 124 associated with the user device 118 .
- the verification module 308 requests full compliance information when the user device 118 reconnects to the private network 104 after a threshold period of time (e.g., a day, etc.).
- the request for full compliance information specifies each piece of compliance data needed to evaluate the compliance of the user device 118 .
- the verification module 308 receives responses for each of the pieces of compliance data.
- the verification module 308 uses this compliance data to determine whether the user device 118 is compliant with the applicable policies.
- the verification module 308 stores this compliance data in the compliance database 124 for future use.
- from time to time (e.g., periodically, aperiodically, etc.), the verification module 308 requests updated compliance information from the user device 118 .
- the verification module 308 requests the updated compliance information periodically (e.g., every fifteen minutes, every hour, etc.) while the user device 118 is connected to the private network 104 .
- the verification module 308 may request full compliance data every six hours and updated compliance information every hour.
- the verification module 308 requests updated compliance information when the user device requests access to the private network 104 within a threshold period of time (e.g., fifteen minutes, etc.) after a disconnection.
- the request for updated compliance information includes a request, but does not enumerate each piece of compliance data needed to evaluate the compliance of the user device 118 .
- the verification module 308 receives responses for pieces of compliance data that have changed (e.g., as determined by the client 120 ) since the most recent request for compliance information. The verification module 308 uses this compliance data along with compliance data stored in the compliance database 124 , updating the changed compliance data, to determine whether the user device 118 is compliant with the applicable policies. The verification module 308 updates the compliance data in the compliance database 124 for future use.
- FIG. 4 is a block diagram of an example system for authorizing a user device 118 to access one or more protected resources 116 according to the techniques of this disclosure.
- the user device 118 , via the client 120 , sends a request to access the protected resources 116 of the private network 104 .
- the network appliance 110 receives the access request.
- the network appliance 110 sends a request to collect compliance information to the client 120 when the network appliance 110 determines that a full compliance request is necessary.
- the network appliance 110 may determine that a full compliance request is necessary, for example, when there is incomplete compliance information associated with the device 118 in the compliance database 124 , when this is the first compliance request received from the client 120 , and/or when a predetermined time has elapsed since the most recent full compliance check.
- the data requested in the full compliance request is determined by the policy server 114 based on the identity of the user of the user device 118 , the protected resources 116 that the user device 118 will access, the time of day, general policies of the private network 104 , etc.
- the client 120 returns the requested compliance information after gathering the relevant data (e.g., anti-virus settings, OS version number, browser version, etc.) from the user device 118 .
- the client 120 stores the compliance request and collected compliance information, and monitors the user device 118 for changes in the compliance information.
- the network appliance 110 evaluates the full compliance information provided by the client 120 against applicable policies.
- the network appliance 110 also stores the compliance data in the compliance database 124 . When the compliance data satisfies the applicable policies, the network appliance 110 provides access to one or more of the protected resources 116 of the private network 104 .
- the client 120 requests access to the protected resources 116 of the private network 104 again.
- the network appliance 110 determines that the user device 118 should renew its access.
- the network appliance 110 is configured to request updated compliance information periodically (e.g., every fifteen minutes, every thirty minutes, etc.).
- the network appliance 110 retrieves the compliance information stored in the compliance database 124 associated with the user device 118 .
- the network appliance 110 also requests updated compliance information from the client 120 .
- the request for updated compliance information does not specify the particular compliance data being requested.
- based on the previously stored compliance information that the client 120 is monitoring, the client 120 only sends compliance information to the network appliance 110 that has changed since the last request for compliance information.
- the network appliance 110 evaluates the user device 118 based on the updated compliance information and the compliance information retrieved from the compliance database 124 .
- the network appliance 110 also updates the compliance data in the compliance database 124 with the updated compliance information received from the client 120 .
- the network appliance 110 provides access to one or more of the protected resources 116 of the private network 104 .
- FIG. 5 is a diagram illustrating an example method for authorizing a user device 118 to access one or more protected resources 116 according to the techniques of this disclosure.
- the user device 118 , via the client 120 , sends a request to access the protected resources 116 of the private network 104 ( 504 ).
- the network appliance 110 receives the access request and determines the applicable policies for the user device 118 ( 506 ).
- the policies are stored in a policy database 502 .
- the policies include characteristics that, when true, make the policy applicable and requirements to satisfy the policy.
- the characteristics may be based on the characteristics of the user (e.g., security clearance, job title, location, etc.) of the user device 118 (e.g., associated with the credential supplied during the authentication check), the protected resources 116 that the user device 118 will access, the time of day, general policies of the private network 104 , etc.
- the network appliance 110 compiles the requirements and sends a request for full compliance information to the client 120 that specifies the requirements ( 508 ).
- the client 120 collects the requested compliance information from the user device 118 ( 510 ).
- the client 120 sends the collected compliance information to the network appliance 110 ( 512 ).
- the network appliance 110 evaluates the full compliance information provided by the client 120 against applicable policies ( 514 ).
- the network appliance 110 also stores the compliance data in the compliance database 124 ( 516 ). When the compliance data satisfies the applicable policies, the network appliance 110 provides access to one or more of the protected resources 116 of the private network 104 ( 518 ). In some examples, after a period of time, the network appliance 110 discards the compliance information stored in the compliance database 124 .
- the client 120 monitors the systems of the mobile device 118 to detect when any of the compliance information changes ( 518 ).
- the client 120 sends the changed (or updated) compliance information to the network appliance 110 ( 520 ).
- the client 120 does not include any compliance information that has not changed.
- the network appliance 110 retrieves the compliance information stored in the compliance database 124 associated with the user device 118 ( 522 ).
- the network appliance 110 requests full compliance information instead (as at 508 ).
- the network appliance 110 evaluates the user device 118 based on the updated compliance information and the compliance information retrieved from the compliance database 124 ( 524 ).
- the network appliance 110 also updates the compliance data in the compliance database 124 with the updated compliance information received from the client 120 ( 526 ). When the compliance information satisfies the applicable policies, the network appliance 110 provides access to one or more of the protected resources 116 of the private network 104 based on, for example, a role assigned to the network device 118 ( 528 ). In some examples, when the compliance information does not satisfy the applicable policies, the network appliance 110 may still provide limited access to the private network 104 .
- FIG. 6 is a flowchart illustrating an example method for authorizing a user device 118 to access one or more protected resources 116 after being authorized to access the private network 104 according to the techniques of this disclosure.
- the client 120 makes an initial request for access to a protected network zone and/or protected resource 116 within the private network 104 ( 602 ).
- the user device 118 may be connecting to the private network 104 for a first time or a threshold time period may have elapsed since the last request.
- the network appliance 110 determines requirements for relevant policies for access ( 604 ). For example, the network appliance 110 may request policies from the policy server 114 applicable to the user device 118 . For example, a policy may require that the user device 118 have a certain antivirus product, settings of the antivirus product, a certain firewall product, settings of the firewall product, a certain patch management product, settings of the patch management product, a certain status of an application (e.g., the application is open, etc.), a certain file on the device, a certain status of one or more ports, and/or settings of registry keys, etc.
- the network appliance 110 requests all compliance information related to the identified requirements ( 606 ).
- the client 120 collects user device details related to the requirements received from the network appliance 110 ( 608 ). Additionally, the client 120 stores the current state of the user device 118 related to the collected details ( 610 ). For example, if the compliance information requests the current version of an email client, the client 120 saves, in memory, the current version of the email client (i.e., the version of the email client that is sent to the network appliance 110 ). The client 120 sends the collected details (e.g., the requested compliance information) to the network appliance 110 ( 612 ).
- the network appliance 110 evaluates the compliance (sometimes referred to as “evaluating the compliance state”) of the user device 118 using the compliance information received from client 120 ( 614 ). For example, the network appliance 110 may compare the status of ports (e.g., opened or closed, etc.) included in the compliance information to the status of ports required by the corresponding policy.
- the network appliance 110 stores the received compliance data in the compliance database 124 ( 616 ). This stored compliance data is associated with the user device 118 .
- the network appliance 110 provides access to the protected network zone and/or protected resources 114 of the private network 104 based on the compliance (e.g., based on the compliance state) of the user device 118 with the applicable policies ( 618 ).
- the network appliance 110 may provide full access to the private network 104 that is afforded to the role assigned to the user device 118 (e.g., when the user device 118 is authenticated). As another example, if the user device 118 is partially compliant with the policies, the network appliance 110 may provide a limited form of access to the private network 104 that is based on the role assigned to the user device 118 (e.g., when the user device 118 is authenticated).
- the client 120 monitors for changes on the user device 118 related to the compliance information requested by the network appliance 110 ( 620 ). Subsequently, the client 120 detects that at least one setting related to the requested compliance information has changed on the user device 118 ( 622 ). Based on the updated compliance information, the client 120 provides only compliance information that has changed since the compliance information was last sent to the network appliance 110 ( 624 ).
- the network appliance 110 determines whether the subsequent request is within a proper timeframe ( 626 ).
- the network appliance 110 may be configured to define a threshold timeframe to be an hour. In such an example, if more than an hour has elapsed since the user device 118 was last connected to the private network 104 , the network appliance 110 may determine that the updated compliance information is not within the proper timeframe. If the updated compliance information is not within a proper timeframe (NO at 626 ), the network appliance 110 requests all compliance information from the user device 118 ( 606 ). Otherwise, when the updated compliance information is within the proper timeframe (YES at 626 ), the network appliance 110 retrieves the stored compliance information from the compliance database 124 ( 628 ). The network appliance 110 then proceeds to determine whether the user device 118 is compliant with the applicable policies ( 614 ). As a result of the updated compliance information, the network appliance 110 may adjust the access level of the user device 118 .
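The full-then-updated compliance exchange of FIGS. 4 to 6, modelled end to end as an added example (my own code, not the patent's or Pulse Secure's): the client answers a full request, keeps the request in its compliance log and later reports only the items that changed; the appliance decides between a full and an updated request from its compliance database, the six-hour full interval and the one-hour reconnect threshold quoted above, merges the delta into the stored data and evaluates the policy. The item names, policy values and device facts are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample policy (item names are hypothetical; the patent names only kinds
# of items: antivirus settings, firewall settings, OS version, port status, ...).
# A ">=" requirement is a minimum version; anything else must match exactly.
POLICY: Dict[str, str] = {
    "antivirus.realtime": "on",
    "firewall.enabled": "true",
    "os.version": ">=10.0.19041",
}


def satisfies(value: Optional[str], requirement: str) -> bool:
    """Check one reported value against one policy requirement."""
    if value is None:                      # item absent from the device: not satisfied
        return False
    if requirement.startswith(">="):
        def as_tuple(v: str):
            return tuple(int(p) for p in v.split("."))
        return as_tuple(value) >= as_tuple(requirement[2:])
    return value == requirement


class Client:
    """Client 120: answers a full request, keeps the request in a compliance log
    (212) and answers an updated request with the changed items only."""

    def __init__(self, device_state: Dict[str, str]):
        self.state = dict(device_state)            # live facts on the user device
        self.log: Dict[str, Optional[str]] = {}    # item -> value last reported

    def handle_full_request(self, items: Iterable[str]) -> Dict[str, Optional[str]]:
        self.log = {item: self.state.get(item) for item in items}
        return dict(self.log)

    def handle_update_request(self) -> Dict[str, Optional[str]]:
        # Only items named in the stored request are tracked; unchanged items are omitted.
        changed = {item: self.state.get(item) for item, last in self.log.items()
                   if self.state.get(item) != last}
        self.log.update(changed)
        return changed


@dataclass
class DeviceRecord:
    data: Dict[str, Optional[str]]   # compliance data held in compliance database 124
    last_full: float                 # time of the last full compliance request
    last_seen: float                 # time of the last contact with the device


class Appliance:
    """Network appliance 110: picks full vs. updated requests, merges deltas into
    the compliance database and evaluates the applicable policy."""

    def __init__(self, policy: Dict[str, str], full_interval: float = 6 * 3600,
                 reconnect_threshold: float = 3600):
        self.policy = policy
        self.full_interval = full_interval               # full data every six hours
        self.reconnect_threshold = reconnect_threshold   # "proper timeframe" for a delta
        self.db: Dict[str, DeviceRecord] = {}

    def needs_full_request(self, device_id: str, now: float) -> bool:
        rec = self.db.get(device_id)
        if rec is None:
            return True                                  # no stored data for the device
        if any(item not in rec.data for item in self.policy):
            return True                                  # stored data is incomplete
        if now - rec.last_full >= self.full_interval:
            return True                                  # periodic full refresh is due
        return now - rec.last_seen > self.reconnect_threshold  # reconnect after too long

    def evaluate(self, data: Dict[str, Optional[str]]) -> str:
        """'full' access when every requirement holds, otherwise 'limited' access."""
        ok = all(satisfies(data.get(item), req) for item, req in self.policy.items())
        return "full" if ok else "limited"

    def authorize(self, device_id: str, client: Client, now: float) -> Tuple[str, str]:
        """One access request; returns (kind of request sent, access level granted)."""
        if self.needs_full_request(device_id, now):
            data = client.handle_full_request(self.policy.keys())
            self.db[device_id] = DeviceRecord(data, last_full=now, last_seen=now)
            return "full", self.evaluate(data)
        rec = self.db[device_id]
        rec.data.update(client.handle_update_request())  # only changed items arrive
        rec.last_seen = now
        return "update", self.evaluate(rec.data)


if __name__ == "__main__":
    device = Client({"antivirus.realtime": "on", "firewall.enabled": "true",
                     "os.version": "10.0.19042"})
    nac = Appliance(POLICY)
    print(nac.authorize("dev-1", device, now=0))    # ('full', 'full')
    device.state["firewall.enabled"] = "false"       # a setting changes on the device
    print(nac.authorize("dev-1", device, now=900))  # ('update', 'limited')
```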
- processors including one or more microprocessors, digital signal processors (DSPs), application specific integrated circuits (ASICs), field programmable gate arrays (FPGAs), or any other equivalent integrated or discrete logic circuitry, as well as any combinations of such components.
- processors may generally refer to any of the foregoing logic circuitry, alone or in combination with other logic circuitry, or any other equivalent circuitry.
- a control unit comprising hardware may also perform one or more of the techniques of this disclosure.
- Such hardware, software, and firmware may be implemented within the same device or within separate devices to support the various operations and functions described in this disclosure.
- any of the described units, modules or components may be implemented together or separately as discrete but interoperable logic devices. Depiction of different features as modules or units is intended to highlight different functional aspects and does not necessarily imply that such modules or units must be realized by separate hardware or software components. Rather, functionality associated with one or more modules or units may be performed by separate hardware or software components, or integrated within common or separate hardware or software components.
- Computer-readable medium such as a computer-readable storage medium, containing instructions. Instructions embedded or encoded in a computer-readable medium may cause a programmable processor, or other processor, to perform the method, e.g., when the instructions are executed.
- Computer-readable media may include non-transitory computer-readable storage media and transient communication media.
- Computer readable storage media which is tangible and non-transitory, may include random access memory (RAM), read only memory (ROM), programmable read only memory (PROM), erasable programmable read only memory (EPROM), electronically erasable programmable read only memory (EEPROM), flash memory, a hard disk, a CD-ROM, a floppy disk, a cassette, magnetic media, optical media, or other computer-readable storage media.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/808,967 US11533320B2 (en) | 2020-03-04 | 2020-03-04 | Optimize compliance evaluation of endpoints |
EP21160590.2A EP3876497A1 (en) | 2020-03-04 | 2021-03-03 | Updated compliance evaluation of endpoints |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/808,967 US11533320B2 (en) | 2020-03-04 | 2020-03-04 | Optimize compliance evaluation of endpoints |
Publications (2)
Publication Number | Publication Date |
---|---|
US20210281576A1 US20210281576A1 (en) | 2021-09-09 |
US11533320B2 true US11533320B2 (en) | 2022-12-20 |
Family
ID=74858251
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/808,967 Active 2041-02-12 US11533320B2 (en) | 2020-03-04 | 2020-03-04 | Optimize compliance evaluation of endpoints |
Country Status (2)
Country | Link |
---|---|
US (1) | US11533320B2 (en) |
EP (1) | EP3876497A1 (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11811765B1 (en) * | 2020-03-31 | 2023-11-07 | Juniper Networks, Inc. | Maximum device access restriction at authenticator level |
US20220210173A1 (en) * | 2020-12-31 | 2022-06-30 | Fortinet, Inc. | Contextual zero trust network access (ztna) based on dynamic security posture insights |
US20220345491A1 (en) * | 2021-04-27 | 2022-10-27 | Fortinet, Inc. | Systems and methods for scalable zero trust security processing |
US11909826B1 (en) | 2022-11-03 | 2024-02-20 | Fortinet, Inc. | Systems and methods for four dimensional network session authorization |
Citations (23)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040103310A1 (en) * | 2002-11-27 | 2004-05-27 | Sobel William E. | Enforcement of compliance with network security policies |
US20060074600A1 (en) | 2004-09-15 | 2006-04-06 | Sastry Manoj R | Method for providing integrity measurements with their respective time stamps |
US20070239748A1 (en) | 2006-03-29 | 2007-10-11 | Smith Ned M | Management of reference data for platform verification |
US7437568B2 (en) | 2000-08-18 | 2008-10-14 | Hewlett-Packard Development Company, L.P. | Apparatus and method for establishing trust |
US7590684B2 (en) | 2001-07-06 | 2009-09-15 | Check Point Software Technologies, Inc. | System providing methodology for access control with cooperative enforcement |
US7774824B2 (en) | 2004-06-09 | 2010-08-10 | Intel Corporation | Multifactor device authentication |
US8010842B2 (en) | 2008-08-08 | 2011-08-30 | Innopath Software, Inc. | Intelligent mobile device management client |
US8438619B2 (en) | 2007-09-21 | 2013-05-07 | Netmotion Wireless Holdings, Inc. | Network access control |
US8539544B2 (en) | 2008-05-30 | 2013-09-17 | Motorola Mobility Llc | Method of optimizing policy conformance check for a device with a large set of posture attribute combinations |
US8760675B2 (en) | 2011-09-28 | 2014-06-24 | Brother Kogyo Kabushiki Kaisha | Image reading apparatus and image reading system having a reading preference input operation |
US8763077B2 (en) | 2011-10-07 | 2014-06-24 | Duo Security, Inc. | System and method for enforcing a policy for an authenticator device |
US8990891B1 (en) | 2011-04-19 | 2015-03-24 | Pulse Secure, Llc | Provisioning layer two network access for mobile devices |
US9288199B1 (en) | 2014-12-16 | 2016-03-15 | OPSWAT, Inc. | Network access control with compliance policy check |
US20160088021A1 (en) * | 2014-09-24 | 2016-03-24 | Oracle International Corporation | Policy-based compliance management and remediation of devices in an enterprise system |
US9524388B2 (en) | 2011-10-07 | 2016-12-20 | Duo Security, Inc. | System and method for enforcing a policy for an authenticator device |
US9560049B2 (en) | 2008-05-28 | 2017-01-31 | Arris Enterprises, Inc. | Method and system for optimizing network access control |
US20170141961A1 (en) | 2015-11-12 | 2017-05-18 | International Business Machines Corporation | Optimization of cloud compliance services based on compliance actions |
US20170142157A1 (en) | 2015-11-13 | 2017-05-18 | International Business Machines Corporation | Optimization of cloud compliance services based on events and trends |
US9924366B2 (en) | 2009-03-06 | 2018-03-20 | Interdigital Patent Holdings, Inc. | Platform validation and management of wireless devices |
US20180176254A1 (en) | 2016-12-19 | 2018-06-21 | Forescout Technologies, Inc. | Compliance monitoring |
US20180198786A1 (en) | 2017-01-11 | 2018-07-12 | Pulse Secure, Llc | Associating layer 2 and layer 3 sessions for access control |
US10063594B2 (en) | 2014-12-16 | 2018-08-28 | OPSWAT, Inc. | Network access control with compliance policy check |
US20190334921A1 (en) | 2018-04-27 | 2019-10-31 | Oracle International Corporation | Framework for multi-level and multi-factor inline enrollment |
- 2020-03-04 US US16/808,967 patent/US11533320B2/en active Active
- 2021-03-03 EP EP21160590.2A patent/EP3876497A1/en active Pending
Non-Patent Citations (1)
Title |
---|
European Search Report for Application No. 21160590.2-1213, dated Aug. 2, 2021, 3 pages. |
Also Published As
Publication number | Publication date |
---|---|
EP3876497A1 (en) | 2021-09-08 |
US20210281576A1 (en) | 2021-09-09 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | AS | Assignment | Owner name: PULSE SECURE, LLC, CALIFORNIA. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:SHRAVAN, BANDAM RADHA;KOETEN, ROBERT;KAIMAL, BIJU;SIGNING DATES FROM 20200205 TO 20200303;REEL/FRAME:052013/0751 |
| | FEPP | Fee payment procedure | Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
| | AS | Assignment | Owner name: KKR LOAN ADMINISTRATION SERVICES LLC, AS COLLATERAL AGENT, NEW YORK. Free format text: SECURITY INTEREST;ASSIGNOR:PULSE SECURE, LLC;REEL/FRAME:053638/0220. Effective date: 20200824 |
| | AS | Assignment | Owner name: PULSE SECURE, LLC, CALIFORNIA. Free format text: RELEASE OF SECURITY INTEREST : RECORDED AT REEL/FRAME - 053638-0220;ASSIGNOR:KKR LOAN ADMINISTRATION SERVICES LLC;REEL/FRAME:054559/0368. Effective date: 20201201 |
| | AS | Assignment | Owner name: BANK OF AMERICA, N.A., AS COLLATERAL AGENT, ILLINOIS. Free format text: SECURITY INTEREST;ASSIGNORS:CELLSEC, INC.;PULSE SECURE, LLC;INVANTI, INC.;AND OTHERS;REEL/FRAME:054665/0873. Effective date: 20201201. Owner name: MORGAN STANLEY SENIOR FUNDING, INC., AS COLLATERAL AGENT, MARYLAND. Free format text: SECURITY INTEREST;ASSIGNORS:CELLSEC, INC.;PULSE SECURE, LLC;IVANTI, INC.;AND OTHERS;REEL/FRAME:054665/0062. Effective date: 20201201 |
| | STPP | Information on status: patent application and granting procedure in general | Free format text: NON FINAL ACTION MAILED |
| | STPP | Information on status: patent application and granting procedure in general | Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
| | STPP | Information on status: patent application and granting procedure in general | Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS |
| | STPP | Information on status: patent application and granting procedure in general | Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED |
| | STCF | Information on status: patent grant | Free format text: PATENTED CASE |